Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
748
Views
5
Helpful
1
Replies

Authorization Profile Attr 25 Group_Name

OrkhanRustamli
Level 1
Level 1

‎11-28-2019 08:30 AM - edited ‎11-28-2019 08:39 AM

Hey all,

I am trying to finalize my ISE Checkpoint Radius connection for VPN Authentication. Only problem I have, in authorization process, I want ISE to send first Group of user (I am authenticating internally) to checkpoint as attr 25. 

However ISE sends "User Identity Group:Group_Name" which checkpoint does not understand prefix. I need class 25 attribute as only Group_Name to be delivered to checkpoint. Can I twick ISE to do that by creating new attribute in dictionary maybe?

Thanks in advance!

PS:. I know I can create several Profiles with manually added Group names and create Policies based on OU but I want it to be one policy where first group name will be delivered automatically but without prefix.

 

0 Helpful
1 Reply 1

Arne Bier
VIP
VIP

‎11-28-2019 05:12 PM

Hi @OrkhanRustamli 

 

There is no way to manipulate the RADIUS Attribute strings in the Authorization profile. E.g. if you wanted to strip/add some text to an attribute :-( - this should be a standard feature of any RADIUS server - but ISE is very prescriptive in this regard.

 

You wanted to map only the Identity Group name to the RADIUS Class attribute - ISE has a Common Task for that called "ASA-VPN" - it automatically brings up the drop down list - and if you choose Identity Group Name, then ISE still prefixes the Group Name with the string "User Identity Groups:" - is there any feature in the Checkpoint that allows you to match on a regex?

Customers Also Viewed These Support Documents